Security

A technical breakdown of CVE-2026-42208, a CVSS 9.3 critical unauthenticated SQL Injection vulnerability in the LiteLLM Proxy API. Improper parameterization of the Bearer token within raw SQL queries used for complex multi-table joins allows blind boolean-based timing attacks, enabling unauthenticated attackers to exfiltrate sensitive data including virtual API keys, user information, and LLM spend logs directly from the database.